Critical vulnerabilities have been found in over a hundred different GE Healthcare imaging and ultrasound products commonly used at hospitals throughout the USA.
If exploited, the vulnerabilities could allow an attacker to gain access to sensitive personal health information (PHI), alter data, and impact the availability of the medical device.
The flaws were discovered by a team of researchers at CyberMDX that launched an investigation after noticing similar patterns of unsecured communications between medical devices and the corresponding vendor’s servers.
Researchers observed the issue occurring across several different health delivery organizations (HDOs).
GE Healthcare has confirmed that the vulnerabilities impact 104 radiological devices, including CT scanners, PET machines, molecular imaging devices, MRI machines, mammography devices, x-ray machines, and ultrasound devices. Certain workstations and imaging devices used in surgery are also at risk.
The healthcare provider has identified mitigations for specific products and releases and has said that it will take proactive measures to ensure proper configuration of the product firewall protection and change default passwords on impacted devices where possible.
“Over the past few months we’ve seen a steady rise in the targeting of medical devices and networks, and the medical industry is unfortunately learning the hard way the consequences of previous oversights,” said Elad Luz, head of research at CyberMDX.
“Protecting medical devices so that hospitals can ensure quality care is of utmost importance. We must continue to eliminate easy access points for hackers and ensure the highest level of patient safety is upheld across all medical facilities.”
The discovery of the vulnerabilities prompted the United States Cybersecurity and Infrastructure Agency (CISA) to issue an ICS Medical Advisory, ICSMA-20-343-01, yesterday.
CISA advised that the vulnerabilities were exploitable remotely and that attackers only required a low skill level to abuse them.
"If exploited, these vulnerabilities could allow an attacker to gain access to affected devices in a way that is comparable with GE (remote) service user privileges," warned CISA.
"A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI."